As a species, humans can be spectacularly bad at evaluating risk. We see danger where there is none, and we somehow miss far more likely hazards that are right in front of us.

What does this have to do with cybersecurity? Everything, as it turns out.

“From our investigations, we know that most companies fall victim to attackers either because of unpatched software with known vulnerabilities, or because of the human factor, for example people falling victim to phishing emails. And still, companies are fixated on zero days and the newest methods of attack, which are often fairly restricted and obscure,” says Janne Kauhanen, cybersecurity expert at F-Secure.


At a time when security spending is rising, that is not a promising pointer to wise investment. Almost three-quarters of IT security professionals expect their budgets will increase in the next 12 months—having grown by 58% over the previous 12 months. But here is the rub: 26% reported a breach in the past year, 68% overall say they have experienced a security incident, and 30% of respondents describe their organisations as ‘very’ or ‘extremely’ vulnerable.

The findings come from the 2017 Thales Data Threat Report, which suggested a disparity between the security technology that organisations continue to invest in and the actual needs of the business.

Shelfware spending

Thom Langford, CISO, Publicis Groupe, agrees. “I’ve had discussions with people about shelfware and it tells me they are responding to the wrong risks. They are buying software because someone somewhere has said ‘this is a risk and we should mitigate it’. It’s obviously still a problem,” he says.

“There’s a knee-jerk reaction to spend money on technology, and to think ‘why don’t we just buy software to fix this, or put in more firewalls?’ Actually, you have to look at behaviour, attitudes and culture. Phishing attacks wouldn’t work if people were more conscious of them,” Langford adds.

It is not the IT department’s fault that they have been looking at the wrong things, suggests Mike Harris, head of cybersecurity services at Grant Thornton. “Some have been spending indiscriminately, but that’s good because they’re bringing their security up to a better baseline level. There are certain things you need to have, such as a level of monitoring on the network. It’s no longer enough to have the preventative measures like anti-virus and firewalls.”

Tone from the top

The problem is more fundamental than that, Harris adds. “The IT teams don’t understand the value of the information they’re being asked to manage. In the absence of business guidance, they have no choice but to protect everything. This is all about tone from the top. The business side of organisations needs to take the lead on this, and understand the controls that IT puts in place are a control to protect what’s important.”

Last September, the Central Bank of Ireland issued cross-industry guidance on information technology and cybersecurity risk for regulated firms. It urged boards to take a more active role in overseeing security, and warned organisations to expect breaches.

Based on inspections at several firms, the Central Bank uncovered weaknesses in IT risk management and governance, including poorly aligned IT strategy and overall business strategy; IT capabilities not matching business ambitions; poor identification, monitoring and mitigation of IT risks; and older technology supporting key business operations and requiring significant resources and investment to manage associated risks.


The report also found shortcomings in identifying and evaluating IT risk. It said many firms don’t maintain comprehensive IT risk registers, and they identify risks by looking back, not forward.

Reactive approach

Chris Casey, services director at PFH Technology Group, says the Central Bank findings are consistent with his own experience. “I don’t think security hits the top 10 on a board’s agenda. I rarely hear it, unless they’ve been attacked or breached. That’s a problem, because then they’re reacting to the breach, rather than preventing it. Many companies haven’t invested enough in their security. There’s no productivity gain in installing a safe or a lock on the door, but you need to consider the lack of productivity if you decided to leave all doors open. It’s time to see security as a cost of doing business,” he says.

Improving that situation calls for closer engagement between business and IT, says Kelvin Garrahan, senior manager for cyber risk services at Deloitte. “It is bidirectional—IT has to ‘message up’ about security, and the board needs to say what’s important. The board needs to communicate what level of risk it is prepared to accept.”

Security training and awareness initiatives should have messages tailored to specific parts of the organisation. Another approach is for IT teams to present to senior management about their own security activities within the organisation, and supplement that with an external practitioner who can provide context about the wider business, security and risk landscape.

Risk appetite

This starts by raising awareness and reporting to senior level about the current state of the organisation’s IT infrastructure and where the risks lie. “It is low-hanging fruit for all intents and purposes. If it’s driven by metrics, then IT can ask if it has reduced a particular issue to a level that the board is prepared to accept, based on its risk appetite. It’s a very intelligent way to steer the IT budget,” says Garrahan.

Although an organisation’s cybersecurity strategy is intimately tied to the commercial strategy, IT will often need to take the lead because they’re the ones on the front line, says Harris. “We see IT increasingly being asked to present around cybersecurity to boards, so when they get that opportunity, it’s important for them to ask questions of the board. Ask them what the important things they need to protect are—whether that’s customer lists or strategic plans. For this to work in an organisation, the board and senior management need to come to the same conclusion. It has to be a two-way street,” he says.


Most organisations have used risk registers in list format, but that doesn’t take account of the pace of business change or shifting technology threats. “The days of the traditional risk register that you write up and you change the date the day before the auditors come in, are gone. It’s far more dynamic. It’s got to evolve on a regular basis—it’s an organic, moving thing,” says Langford.

Threat assessment

In order to choose the right security technology to reflect the risks, organisations must first assess what systems and data they’re protecting, rank them in order of importance and assess the possible threats accordingly, says Dermot Williams, managing director of Threatscape.

“The reality is, the number of solutions and vendors is mind-blowing. You could spend an almost infinite amount on security, so you need a filtering approach. That means assessing what are the key assets you need to protect, so your risk profile matches your investment plan, and you’re not making knee-jerk reactions to the latest news. We advise going through a process of risk scoring that prioritises risk assets based on how vulnerable they may be and what the value would be to an attacker,” says Williams.

“We also encourage people to understand their threat surfaces and to focus on a solution that protects against those. It can be an endpoint, a server or even a user. If it’s a user, you educate them and make them less susceptible to clicking on suspicious links. If you don’t understand where your soft underbelly is, you’re not going to have the right armour to protect it,” says Williams.

“In terms of point products, we’ve been preaching a mantra that the mindset of ‘set and forget’ is no longer effective. You can’t just buy a firewall and antivirus and get on with life. It’s not like dealing with a rodent problem where you know what’s coming, what traps to set and where to put the traps down,” he adds.

Managed security services

Growing numbers of providers are moving to a managed service model, using security information and event management (SIEM) tools to harvest data from customers’ various security systems and produce a more holistic picture. After establishing a baseline for standard activity on the network, the security provider can then spot activity that differs from the norm and could indicate a possible breach.


This model is increasingly attractive for companies that are struggling with staff resources or budgets to pore over log files produced by multiple boxes. It also delivers a more proactive approach, by quickly raising a flag with the customer at the first sign of any incident. That is a big change from what normally happens, where some beleaguered IT staffer has to check the files long after a breach has been discovered.

An added advantage of this approach is that it doesn’t call for a complete scrapping of existing security systems, says Casey of PFH. “Don’t ignore what you have. It’s not a case of wipe it all out and start again. If small parts are missing from the plan, then you focus your spending there. Your existing investments are not sunken unless they’re wrong—and then they can lead you to a false sense of security, which is worse.”

Threat intelligence

Langford says organisations should also build some basic threat intelligence capability. “That may be looking at Twitter, talking to colleagues and peers in your industry and potentially your competitors because if they’re seeing a trend, it’s likely you will too. And it’s about being able to say APTs—whatever they may be—are not a risk, but phishing attacks are, or people hacking your network are not a risk, but CEO fraud is. That allows the organisation to decide to spend more money on awareness and education than on perimeter defence.”

Taking a risk-based approach to security brings several benefits in terms of cost, resources, preparedness and procurement. “It is the difference between buying on spec as opposed to buying on plan. If you have a security plan, you’ve analysed the risks and you want to prevent certain threats, you can buy the right products, either combined and bundled or point solutions for your risk items. With a planned approach, your cost of support goes down, and your management effort goes down,” says Casey of PFH.


“It’s a matter of boxing clever with the limited resources you have, whether that’s budget or people, and deploying them correctly,” says Deloitte’s Garrahan. “By using an intelligence-based approach to responding to securing threats, it means you’re not spending time or resources looking at things that may not affect you. Using intelligence is like a force multiplier—with limited resources, whether that’s budget or people, how do you deploy them correctly? And if the board is informed of those risks, you get a budget that’s based on real-world, accurate and informed threats.”

Adds Mike Harris of Grant Thornton: “Any comprehensive risk-based security programme needs to have a response plan built into it. There’s a general acceptance that organisations are going to have security incidents. A risk-based approach helps them reduce the frequency of those incidents and the ability to respond reduces their impact.”

Ransomware and risk in the real world

It was telling that, in the wake of the WannaCry ransomware outbreak, the word ‘risk’ featured heavily in a statement from the security education group ISC2. “Information risk must be recognised as anything that contributes to undermining, interrupting or stopping operations. In the current landscape, business must anticipate interruption from cyberattack and develop the ability to keep the lights on, customers served and essential activities going in the event of an incident, whether caused by malicious intent, accidental activity or force of nature,” said Dr Adrian Davis, the group’s EMEA managing director.

The NHS was one of the worst affected organisations in the attack, but Thom Langford offers a different perspective. “It may be that someone decided some years ago that they weren’t going to harden or replace the Windows XP systems because they can hire more doctors or buy more beds. While the NHS has been lambasted, there’s a good chance it was the right decision to make at the time. The risk-based decision was, we’ll take the hit on that when it comes,” he says.